RedMonk

You Can Pry My Gmail Delete Button From My Cold, Dead Fingers

Lots of coverage on the recently announced – and very severe – Greasemonkey vulnerability. While the title of this entry is in jest, the actual security implications are not so amusing. Discovered by Mark Pilgrim, the flaw means that Greasemonkey versions

I’m aware of how badly this sucks for many of you. Please accept my deepest personal apologies and realize that I’ll do my best to get a fixed Greasemonkey available just as soon as possible.

I’m inclined to agree with the first commenter on the thread, who said:

I’d say: bugs happen, Greasemonkey is truly awesome and a hint of the future and you shouldn’t be apologizing. The bleeding edge of the web can cut :-)

Accountability is good, and this does need to be fixed ASAP, but these things happen to the best of us. Whether you’re a big shop or small, security is always a difficult problem to address – and can never be “solved.”

Still, joke or not, there’s a kernel of truth in the title. Some GM scripts I can do without, but others I have come to rely on. I’m essentially addicted to the functionality GM provides, and the prospect of losing it is very unattractive. So, since the vulnerability is only exposed on pages that match an installed script’s @include, I have – against Pilgrim’s advice – not uninstalled GM, only the scripts that are applied to every site. My Gmail Delete button is still in full effect, and all I can say is that if Google wants to traverse my local directories, they can knock themselves out ;)

Categories: Product Announcements.

  • Jeremy Dunck (http://greaseblog.blogspot.com)

    If you’re going to run an unsafe version, please make sure that your scripts (even non-universal ones) have an @include that you intend.

    @include *mail.google.com/* is fine.
    @include *mail.google.* isn’t, nor is *mail.google.com*. They’ll match mail.google.com.evil.com. Then all someone has to do is phish you over to mail.google.com.evil.com, and you’re done.

    Just an explanatory note of caution, not intended as FUD.

  • Jeremy Dunck

    And hey, just to illustrate how touchy this is,
    it turns out that the one I said was ok:
    *mail.google.com/*
    is -not- OK, because this also matches:
    http://evil.com/mail.google.com/mwahaha

    So, like giving condoms to kids whilst urging abstinence– be careful out there!
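The two comments above show by hand how loosely written @include patterns match attacker-controlled URLs. As an added example, not part of the original post or its comments, the JavaScript below implements a Greasemonkey-style glob matcher and runs each of the patterns discussed (plus a scheme-anchored form that the comments do not mention) against a constructed set of look-alike URLs. The matching rule is an assumption stated in the code: `*` matches any run of characters, every other character is literal, and the whole URL must match.

```javascript
// Added example (not from the post or its comments): how a Greasemonkey-style
// @include glob is matched against a page URL, and why the patterns in the
// comments are too loose. Assumed matching rule: '*' matches any run of
// characters (including '/'), everything else is literal, whole URL must match.

function includeGlobToRegExp(glob) {
  // Escape regex metacharacters (but not '*'), then turn the glob '*' into '.*'
  // and anchor both ends so the entire URL has to match.
  const escaped = glob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

function includeMatches(glob, url) {
  return includeGlobToRegExp(glob).test(url);
}

// Constructed sample URLs: one genuine Gmail page and three attacker-controlled
// look-alikes of the kinds the comments warn about.
const LEGIT = "http://mail.google.com/mail/";
const LOOKALIKES = [
  "http://mail.google.com.evil.com/",        // real host is evil.com (suffix trick)
  "http://evil.com/mail.google.com/mwahaha", // "mail.google.com" only in the path
  "http://mail.google.org/",                 // TLD swap
];

// Which look-alike URLs would a given pattern wrongly match?
function falsePositives(glob) {
  return LOOKALIKES.filter((url) => includeMatches(glob, url));
}

const PATTERNS = [
  "*mail.google.*",          // from the first comment: matches everything above
  "*mail.google.com*",       // from the first comment: still matches the host-suffix trick
  "*mail.google.com/*",      // "fine" in the first comment, retracted in the second
  "http://mail.google.com/*", // added here: anchored at the scheme, so the host is fixed
];

// Human-readable summary for running the file directly.
function report() {
  const lines = [];
  for (const glob of PATTERNS) {
    const legit = includeMatches(glob, LEGIT) ? "matches Gmail" : "MISSES Gmail";
    const bad = falsePositives(glob);
    lines.push(`${glob.padEnd(26)} ${legit}; wrongly matches ${bad.length}: ${bad.join(", ") || "-"}`);
  }
  return lines.join("\n");
}

console.log(report());
```

The anchored form only helps because the scheme and host are fixed literally and the first `*` appears after the `/` that ends the hostname; add a second pattern for `https://` rather than widening the first one.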